suvodeep-pyne opened a new pull request, #17658: URL: https://github.com/apache/pinot/pull/17658
## Summary

Adds support for custom token resolvers in the audit identity resolution pipeline via a new SPI (`AuditTokenResolver`). This enables handling proprietary token formats (e.g., custom API keys, non-JWT tokens) for audit logging without modifying core Pinot code.

### Key Changes

- **`AuditTokenResolver` SPI** (`pinot-spi`): New interface for resolving user identity from arbitrary `Authorization` header values. Returns `AuditUserIdentity` or `null` to allow fallback to default JWT parsing.
- **`AuditUserIdentity` interface** (`pinot-spi`): Functional interface representing a resolved identity with extensibility for future fields (roles, groups, etc.). `AuditEvent.UserIdentity` now implements this interface.
- **`AuditIdentityResolver` updates** (`pinot-common`): Integrates the token resolver as priority 2 in the resolution chain (header → custom resolver → JWT). Resolvers are loaded lazily via `PluginManager` with thread-safe caching using an immutable `ResolverHolder` pattern.
- **`AuditConfig` extension**: New `token.resolver.class` configuration property to specify the resolver implementation class.
- **Tests**: Added `MockAuditTokenResolver` and comprehensive tests covering resolver success, fallback to JWT, priority ordering, plugin loading, and error handling for invalid resolver classes.

### Resolution Priority Order

1. Custom identity header (e.g., `X-User-Email`)
2. Custom token resolver (if configured via `token.resolver.class`)
3. JWT token parsing from `Authorization: Bearer` header

## Test plan

- [x] Unit tests for custom resolver returning valid identity
- [x] Unit tests for resolver returning null (fallback to JWT)
- [x] Unit tests for priority ordering (header > resolver > JWT)
- [x] Unit tests for PluginManager-based resolver loading
- [x] Unit tests for invalid resolver class graceful fallback
- [x] Unit tests for resolver receiving full auth header value

--
This is an automated message from the Apache Git Service.
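The resolution order described in this pull request, as an added Java sketch that is not code from the PR or from Pinot. The two interfaces are local stand-ins whose method names (`resolve`, `getPrincipal`) are assumed, `ApiKeyResolver` and its `ApiKey` scheme are hypothetical, and JWT parsing is replaced by a placeholder function.

```java
import java.util.Map;
import java.util.function.Function;

public class AuditResolutionSketch {
  // Stand-ins for the PR's SPI types; the method names are assumptions.
  interface AuditUserIdentity { String getPrincipal(); }
  interface AuditTokenResolver { AuditUserIdentity resolve(String authorizationHeader); }

  // Hypothetical resolver for a proprietary "ApiKey <key>" scheme.
  static final class ApiKeyResolver implements AuditTokenResolver {
    private final Map<String, String> _keyOwners; // key -> principal (constructed data)
    ApiKeyResolver(Map<String, String> keyOwners) { _keyOwners = keyOwners; }
    public AuditUserIdentity resolve(String authorizationHeader) {
      if (authorizationHeader == null || !authorizationHeader.startsWith("ApiKey ")) {
        return null; // not our format: let the default JWT parsing run
      }
      String owner = _keyOwners.get(authorizationHeader.substring("ApiKey ".length()).trim());
      // Return the owner, never the key itself, so secrets stay out of audit logs.
      return owner == null ? null : () -> owner;
    }
  }

  // Priority order from the PR: identity header, then custom resolver, then JWT.
  static String resolvePrincipal(String identityHeader, String authorization,
      AuditTokenResolver resolver, Function<String, String> jwtParser) {
    if (identityHeader != null && !identityHeader.isBlank()) {
      return identityHeader.trim();
    }
    if (resolver != null && authorization != null) {
      try {
        AuditUserIdentity id = resolver.resolve(authorization); // full header value
        if (id != null && id.getPrincipal() != null) {
          return id.getPrincipal();
        }
      } catch (RuntimeException e) {
        // Assumption: a failing plugin must not break the request; fall through.
      }
    }
    if (authorization != null && authorization.startsWith("Bearer ")) {
      return jwtParser.apply(authorization.substring("Bearer ".length()));
    }
    return null; // no identity could be resolved
  }
  public static void main(String[] args) {
    AuditTokenResolver r = new ApiKeyResolver(Map.of("k-123", "svc-reports")); // constructed
    Function<String, String> jwt = token -> "jwt-user"; // placeholder for JWT parsing
    System.out.println(resolvePrincipal("alice@example.com", "ApiKey k-123", r, jwt));
    System.out.println(resolvePrincipal(null, "ApiKey k-123", r, jwt));
    System.out.println(resolvePrincipal(null, "Bearer x.y.z", r, jwt));
  }
}
```

Because the identity header outranks both token paths, a header such as `X-User-Email` is only as trustworthy as the component that sets it: if clients can send it directly, the audited identity is client-chosen.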
